====== FreeIPA/Samba integration ======
This was more complicated than it probably should have been due to the IPA domain not matching the TrueNAS host domain, I think.
  * Set up the FreeIPA servers for Samba by running the following on all servers:
<code bash>
dnf install ipa-server-trust-ad
ipa-adtrust-install
</code>
  * Set up TrueNAS:
    * Go to Credentials->Directory Services->Show Advanced
    * Add a Kerberos Realm:
      * Realm: ''IPA.SIHNON.NET''
      * Primary KDC: pick one of the IPA servers
      * KDC / admin servers / password servers: list all the IPA servers
    * Add a ''host/fqdn@IPA.SIHNON.NET'' keytab
    * Configure Directory Services:
      * Configuration type: IPA
      * Enable Service, Enable Account Cache, Enable DNS Updates
      * Timeout: 10s
      * Kerberos Realm: IPA.SIHNON.NET
      * Credential type: Kerberos Principal
      * Kerberos Principal: the host keytab uploaded previously
      * Target Server: pick one of the IPA servers
      * TrueNAS hostname: short hostname
      * Domain: ipa.sihnon.net
      * Base DN: dc=ipa,dc=sihnon,dc=net
      * Validate Certificates
      * SMB: don't use the defaults
        * Name: IPA
        * Domain: ipa.sihnon.net
        * Rest of the attributes at default
  * Edit ''/etc/krb5.conf'' (the section is named ''domain_realm'', singular, and krb5.conf comments must be on their own lines):
<code>
[libdefaults]
# both changed from true
dns_lookup_realm = false
dns_lookup_kdc = false

[domain_realm]
# Add these two lines
jellybean.sihnon.net = IPA.SIHNON.NET
.jellybean.sihnon.net = IPA.SIHNON.NET
</code>
  * Restart the ''winbind'' service
When connecting from a Windows machine that is not domain-joined, Windows won't prompt for credentials and the connection will fail. You must explicitly map a drive using the IPA domain credentials first. Subsequent connections to the same hostname reuse those credentials, so not every share needs to be mapped.
====== ACME ======
For the first server, follow the instructions below.
  * Create a TSIG key for nsupdate:
<code bash>
tsig-keygen -a HMAC-SHA512
</code>
  * Update the key name to ''truenas.''
  * Distribute the key to the nameservers via puppet (hiera key ''profile::freeipa::named::keys'') and make sure BIND has been restarted to pick up the change
  * Create the ''data/system/acme'' datasets
  * SSH to the host as ''truenas_admin'' and run the following:
<code bash>
sudo chown truenas_admin /mnt/data/system/acme
git clone --depth 1 https://github.com/acmesh-official/acme.sh.git
</code>
  * Save the TSIG key to ''/mnt/data/system/acme/.nsupdate.key'' (making sure the key name and secret match puppet)
For subsequent servers, clone the ''acme'' filesystem.

For all servers:
  * Navigate to ''Credentials->Certificates''
  * Add an ''ACME DNS-Authenticator'':
    * Name: freeipa
    * Authenticator: shell
    * Script: ''/mnt/data/system/dns_acme.sh''
    * User: ''root''
    * Timeout: 60
    * Delay: 90
  * Add a ''Certificate Signing Request'' and follow the wizard. Let's Encrypt doesn't use any of the subject attributes, so any values will do.
  * Once added, click the three dots next to the CSR and choose ''Create ACME certificate'':
    * Name: letsencrypt
    * Accept ToS
    * Directory URI: LetsEncrypt Production
    * Select ''freeipa'' as the authenticator for each domain
  * Once ''letsencrypt'' appears in the list, navigate to ''System->General''
  * Click the GUI ''Settings'' button
  * Select the ''letsencrypt'' certificate under ''GUI SSL Certificate'' and save the changes, confirming the restart
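The notes reference ''/mnt/data/system/dns_acme.sh'' but don't show it. Below is an added example of such a hook (not the script from these notes) that publishes and removes the DNS-01 challenge TXT record with ''nsupdate'', authenticated by the TSIG key saved at ''/mnt/data/system/acme/.nsupdate.key''. It assumes TrueNAS invokes the shell authenticator as ''dns_acme.sh <set|unset> <domain> <record-name> <txt-value>''; the nameserver name and the ''truenas.example.net'' hostname are placeholders.

```shell
#!/bin/sh
# Added example, not the script from the original notes: a DNS-01 hook for the
# TrueNAS "shell" ACME authenticator. It adds or removes the _acme-challenge TXT
# record via nsupdate, signed with the TSIG key from the notes above.
# Assumption: TrueNAS calls it as  dns_acme.sh <set|unset> <domain> <record-name> <txt-value>
KEYFILE="${ACME_NSUPDATE_KEY:-/mnt/data/system/acme/.nsupdate.key}"
NS_SERVER="${ACME_NS_SERVER:-ns1.example.net}"   # placeholder: the primary nameserver
TTL=60

# Only plain DNS names and base64url tokens are accepted, so a malformed or
# hostile argument cannot inject extra lines (e.g. a second "update") into the batch.
validate_args() {
    case "$1" in ''|*[!A-Za-z0-9._-]*) echo "bad record name: $1" >&2; return 1 ;; esac
    case "$2" in ''|*[!A-Za-z0-9_-]*)  echo "bad TXT value" >&2;       return 1 ;; esac
}

# Print the nsupdate batch for one action; returns non-zero on invalid input.
build_update() {
    action="$1"; name="$2"; value="$3"
    validate_args "$name" "$value" || return 1
    case "$action" in
        set)   op="update add $name $TTL TXT \"$value\"" ;;
        unset) op="update delete $name TXT \"$value\"" ;;
        *)     echo "unknown action: $action" >&2; return 1 ;;
    esac
    printf 'server %s\n%s\nsend\n' "$NS_SERVER" "$op"
}

# Entry point used by TrueNAS: the record name is $3 and the challenge token is $4.
main() {
    batch=$(build_update "$1" "$3" "$4") || exit 1
    printf '%s\n' "$batch" | nsupdate -k "$KEYFILE"
}

# Run only when invoked with an action, so the functions can also be sourced for testing.
case "${1:-}" in set|unset) main "$@" ;; esac
```

Because the key file grants update rights on the zone, it should be readable only by the ''root'' user the authenticator runs as.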